As far as I know, that specific case is only for tokens that are invalid and the cryptography library is unable to decrypt them (the cases where InvalidToken is raised from decrypt [0]). If a token is considered invalid by the cryptography library, it's actually not decipherable. Logging the invalid token/value shouldn't expose anything of value because there is no payload associated with the token/value.

We handle the expiration case differently, which is checked within keystone and not the cryptography library. If a token is expired, we don't log it [1]. Even though the token is expired, the values within the payload, like user and project IDs, may still be valid. While keystone won't consider an expired token valid, an attacker could use it to try and glean information about the user, project, domain, etc. You're absolutely right in that logging expired tokens would expose a vulnerability. In my testing so far, I don't see any logged tokens for this case. If there are places where we write an actual expired token to logs, we should re-open this issue.

[0] https://github.com/pyca/cryptography/blob/ef027a69808d045dffc3b4db274d67cea1be9f3a/src/cryptography/fernet.py#L73-L122
[1] https://github.com/openstack/keystone/blob/b4990dcc31fcd1e53c97fff38088fc0d50dd7d3f/keystone/token/provider.py#L213

** Changed in: keystone
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1680289

Title:
  Keystone logs fernet token when token is invalid

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  If an incorrect token is passed for keystone validation (verify token), Keystone logs the token:
  https://github.com/openstack/keystone/blob/b4990dcc31fcd1e53c97fff38088fc0d50dd7d3f/keystone/token/providers/fernet/token_formatters.py#L94
  As this is either an invalid or expired token and of no use to anyone, logging this does not pose any vulnerability (unless an expired fernet token can be used for anything). In any case, it might be better to not log the entire token.
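The distinction the comment draws, an undecipherable token (bad MAC or structure, where the cryptography library raises InvalidToken) versus an authentic but expired token whose payload still holds real user and project IDs, is the whole basis for deciding what may be written to a log. The following is an added example, not keystone's or the cryptography library's code: it re-implements only the outer HMAC-SHA256 and timestamp layer of the Fernet token format with the Python standard library (the AES body is left as opaque bytes, so `make_token` is a constructed test helper, and `DEMO_KEY`, `classify_token` and `log_message` are names chosen here), then applies a logging policy that writes the raw value only for the undecipherable class and a hash fingerprint for anything authentic.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time

FERNET_VERSION = 0x80        # first byte of every Fernet token
MAX_CLOCK_SKEW = 60          # seconds; Fernet rejects timestamps further in the future
_MIN_LEN = 1 + 8 + 16 + 32   # version + timestamp + IV + HMAC-SHA256 tag

# Constructed demo key (32 bytes, urlsafe base64), NOT a real keystone key.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))


def _signing_key(key_b64):
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16]          # second half is the AES key, not needed for the MAC check


def make_token(key_b64, opaque_ciphertext, timestamp):
    """Constructed helper: assemble a Fernet-shaped token around caller-supplied
    bytes standing in for the AES-CBC body. Only the MAC layer is exercised."""
    iv = os.urandom(16)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + opaque_ciphertext
    tag = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def tamper_token(token, offset=30):
    """Flip one bit inside the ciphertext region and re-encode (MAC no longer matches)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


def classify_token(key_b64, token, ttl, now=None):
    """Return 'invalid' (undecipherable: bad base64, wrong version, bad MAC, future
    timestamp), 'expired' (authentic but older than ttl) or 'ok'."""
    now = time.time() if now is None else now
    try:
        data = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return "invalid"
    if len(data) < _MIN_LEN or data[0] != FERNET_VERSION:
        return "invalid"
    expected = hmac.new(_signing_key(key_b64), data[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(data[-32:], expected):
        return "invalid"
    timestamp = struct.unpack(">Q", data[1:9])[0]
    if timestamp > now + MAX_CLOCK_SKEW:
        return "invalid"
    if timestamp + ttl < now:
        return "expired"
    return "ok"


def token_fingerprint(token):
    if isinstance(token, str):
        token = token.encode("ascii")
    return hashlib.sha256(token).hexdigest()[:16]


def log_message(key_b64, token, ttl, now=None):
    status = classify_token(key_b64, token, ttl, now)
    if status == "invalid":
        # No payload is recoverable from an undecipherable value, which is the argument
        # above for writing it verbatim; a stricter policy would fingerprint this too.
        text = token.decode("ascii", "replace") if isinstance(token, bytes) else token
        return "invalid token: %s" % text
    # Authentic tokens carry real user/project IDs even when expired: never write them out.
    return "%s token (sha256 %s)" % (status, token_fingerprint(token))


if __name__ == "__main__":
    now = int(time.time())
    fresh = make_token(DEMO_KEY, b"\x00" * 32, now - 10)
    old = make_token(DEMO_KEY, b"\x00" * 32, now - 7200)
    for tok in (fresh, old, tamper_token(fresh), b"not-a-token"):
        print(log_message(DEMO_KEY, tok, ttl=3600, now=now))
```

The `ttl` check mirrors what keystone does from the decrypted payload rather than what the library does with `Fernet.decrypt(token, ttl=...)`; the point of separating the two is that an expired token has already passed the MAC check, so its bytes are a real ciphertext of real identifiers and belong in a log only as a fingerprint.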

